DANE validation fails on e.email / murena.io
- Impacted Application: incoming Mail on e.email / murena.io
The problem
messages bounce with "7/8/2025 11:56:18 PM - Server at murena.io (95.217.246.96) returned '450 4.7.323 tlsa-invalid: The domain failed DANE validation [Message=450 4.7.323 tlsa-invalid: The domain failed DANE validation] [LastAttemptedServerName=murena.io] [LastAttemptedIP=95.217.246.96:25] [SmtpSecurity=11;-1] SY2PEPF00005069.ausprd01.prod.outlook.com 2025-07-08T23:56:25.004Z 08DDBE64B054E0CE'"
Technical details
In the thread https://community.e.foundation/t/problems-with-receiving-e-mails/71762 I speculate that this is due to not publishing all Let's Encrypt signing certificate digests in the TLSA record.
At the time of writing there was a mismatch between the certificate digest published in the TLSA record at _dane.ecloud.global and the newly issued (6th July) TLS certificate offered on the SMTP port of ecloud.global.
From February to July the SMTP TLS certificate was signed by R11, matching the TLSA record. The renewed certificate is signed by R10, which causes the validation failure.
There are more user reports at:
Solution
A good explanation and solution is given at https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html: include the whole group of Let's Encrypt signing certificates in the TLSA records.
When you do publish TLSA records matching a Let's Encrypt issuing CA, make sure to publish the full set of records for ALL the related CAs.
In general, the advice seems to be to switch to DANE-EE 3 1 1.
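To make the failure mode concrete, here is an added example (not from this issue or from Murena's mail setup) that applies the TLSA usage/selector/matching rules to a served certificate chain. The certificate bytes are constructed stand-ins, and the DANE-TA check only compares digests against the issuers the server sends, without building the chain to that trust anchor as a real validator would.

```python
import hashlib
from typing import NamedTuple

class Cert(NamedTuple):
    name: str
    der: bytes   # full DER certificate (selector 0)
    spki: bytes  # SubjectPublicKeyInfo (selector 1)

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA (an issuer), 3 = DANE-EE (the server cert)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_for(usage: int, selector: int, mtype: int, cert: Cert) -> TLSA:
    """Build the TLSA record that matches `cert` under the given parameters."""
    blob = cert.der if selector == 0 else cert.spki
    if mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif mtype == 2:
        blob = hashlib.sha512(blob).digest()
    return TLSA(usage, selector, mtype, blob)

def rdata(rec: TLSA) -> str:
    """Presentation form, as published under _25._tcp.<mail host>."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"

def dane_validate(records: list[TLSA], chain: list[Cert]) -> tuple[bool, str]:
    """chain[0] is the server certificate, chain[1:] the issuers it sends.
    Simplified: DANE-TA succeeds when any sent issuer matches a record;
    a real validator also verifies the signature path up to that issuer."""
    for rec in records:
        candidates = chain[:1] if rec.usage == 3 else chain[1:]
        for cert in candidates:
            if tlsa_for(rec.usage, rec.selector, rec.mtype, cert) == rec:
                return True, f"{rdata(rec)} matches {cert.name}"
    return False, "tlsa-invalid: no TLSA record matches the presented chain"

# Constructed stand-ins for the Let's Encrypt intermediates and for the
# murena.io leaf before and after the July renewal. Same SPKI on both leaves
# assumes the key was reused on renewal; with a fresh key a 3 1 1 record
# has to be updated at every renewal as well.
R10 = Cert("R10", b"der:R10", b"spki:R10")
R11 = Cert("R11", b"der:R11", b"spki:R11")
LEAF_FEB = Cert("murena.io (issued by R11)", b"der:leaf-feb", b"spki:murena")
LEAF_JUL = Cert("murena.io (issued by R10)", b"der:leaf-jul", b"spki:murena")

ONLY_R11 = [tlsa_for(2, 1, 1, R11)]                       # what was published
ALL_ISSUERS = [tlsa_for(2, 1, 1, c) for c in (R10, R11)]  # the x3hosts advice
DANE_EE = [tlsa_for(3, 1, 1, LEAF_JUL)]                   # pins the server key
```

Run `dane_validate(ONLY_R11, [LEAF_JUL, R10])` to reproduce the tlsa-invalid outcome from the bounce, and `dane_validate(ALL_ISSUERS, [LEAF_JUL, R10])` or `dane_validate(DANE_EE, [LEAF_JUL, R10])` to see either fix pass.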